Created on
01-02-2022
10:18 PM
Edited on
10-21-2025
10:10 PM
By
Anthony_E
Description
This article describes how to configure SSL VPN users authenticating against multiple SAML IdPs.
Scope
SSL VPN with SAML authentication using multiple IdPs.
Consider a scenario where access for SSL VPN users must be restricted by group membership, and those groups live in different SAML IdPs. The IdPs could simply be multiple tenants in Microsoft Azure, or entirely different products such as FortiAuthenticator, Google Cloud Platform, Okta, Duo, and others.
Solution
On the left of the screen: User & Authentication -> User Groups -> Remote Groups
In the current FortiOS design, a user group does not support more than one SAML server.
Starting with v6.4.6, v7.0.1, and v7.2.0 it is possible to add multiple SAML groups to a single firewall policy, but all of those groups must reference the same SAML IdP server.
It is possible, though, to create multiple firewall policies, each with its own user group applied, so that each firewall policy references only one IdP.
However, for SSL VPN firewall policies where the source interface is the SSL VPN interface and the source user group references a SAML server, the first matching firewall policy in the list decides which IdP the SAML request is sent to.
Every SAML authentication request is therefore sent to the IdP of the first matching policy; later policies and their IdPs are never consulted, so users of the other IdPs fail to authenticate.
To overcome this design limitation, use SSL VPN realms. When a user logs in to a specific realm, only the authentication rule and firewall policies whose group is mapped to that realm are evaluated, so the SAML request is sent to the IdP configured for that SAML group.
Note:
If there is already one entry per IdP under 'config user saml', no changes are required there.
The required change is in the portal mapping (the authentication rule under SSL-VPN Settings), which must reference the specific realm rather than the default one.
Configuration Example:
Example Environment:
FortiGate WAN Interface IP and port for SSL VPN: 192.168.1.68:1444
User lombini@robertao.me is a member of group Escalations in the Azure SAML IdP
User lombini@colombas.me is a member of group Escalations in the GCP SAML IdP
SAML SP: FortiGate
SAML IdPs: Microsoft Azure and Google Cloud Platform
SAML Servers Configuration in FortiGate:
On the left of the screen: User & Authentication -> Single Sign On, edit or create a new Single Sign On entry as follows
Microsoft Azure:
Google Cloud Platform:
User groups configuration in FortiGate:
On the left of the screen: User & Authentication -> User Groups, edit or create User Groups as follows
Microsoft Azure:
Google Cloud Platform:
SSL VPN Realms configuration in FortiGate:
On the left of the screen: VPN -> SSL-VPN Realms, edit or create SSL-VPN Realms as follows
SSL VPN Portals configuration in FortiGate:
On the left of the screen: VPN -> SSL-VPN Portals, edit or create SSL-VPN Portals as follows
SSL VPN Settings configuration in FortiGate:
On the left of the screen: VPN -> SSL-VPN Settings, edit as follows
Firewall Policies configuration in FortiGate:
On the left of the screen: Policy & Objects -> Firewall Policy, edit as follows
Microsoft Azure:
Google Cloud Platform:
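The GUI steps above, expressed as one end-to-end FortiOS CLI configuration. This is an added example and not the article's own screenshots or a Fortinet reference configuration: the object names (azure-saml, gcp-saml, Azure_Escalations, GCP_Escalations, the realms azure and gcp, the two portals, interface port2, the address objects, policy IDs 10 and 11) and the IdP-side URLs with their <...> placeholders are assumptions chosen for illustration. Only the WAN address 192.168.1.68:1444 and the group name Escalations come from the example environment above, and the group-name values must match what each IdP actually emits in its group attribute.

```text
# Added example (not from the article). Two SAML SPs, one group per SP,
# one realm per group, realm-aware authentication rules, one policy per IdP.
# Names, interfaces, addresses and <...> placeholders are assumptions.

config user saml
    edit "azure-saml"
        set cert "Fortinet_Factory"
        # SP URLs of this FortiGate. With realms, register the realm-specific
        # SP URLs that the FortiGate exposes for the realm at the IdP.
        set entity-id "https://192.168.1.68:1444/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.1.68:1444/remote/saml/login/"
        set single-logout-url "https://192.168.1.68:1444/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/<azure-tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<azure-tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<azure-tenant-id>/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
    edit "gcp-saml"
        set cert "Fortinet_Factory"
        set entity-id "https://192.168.1.68:1444/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.1.68:1444/remote/saml/login/"
        set single-logout-url "https://192.168.1.68:1444/remote/saml/logout/"
        set idp-entity-id "https://accounts.google.com/o/saml2?idpid=<gcp-app-id>"
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=<gcp-app-id>"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
    next
end

config user group
    edit "Azure_Escalations"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                # Must equal the value the IdP sends in its group attribute
                # (Azure commonly sends the group object ID, not the display name).
                set group-name "Escalations"
            next
        end
    next
    edit "GCP_Escalations"
        set member "gcp-saml"
        config match
            edit 1
                set server-name "gcp-saml"
                set group-name "Escalations"
            next
        end
    next
end

# The realm name becomes the URL path: https://192.168.1.68:1444/azure and /gcp
config vpn ssl web realm
    edit "azure"
    next
    edit "gcp"
    next
end

config vpn ssl web portal
    edit "azure-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    edit "gcp-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set port 1444
    set default-portal "web-access"
    # Each rule binds one SAML group to its own realm: a login to /azure is
    # matched only against Azure_Escalations, so the SAML request goes to
    # azure-saml; a login to /gcp goes to gcp-saml. Policy order no longer
    # decides which IdP is used.
    config authentication-rule
        edit 1
            set groups "Azure_Escalations"
            set portal "azure-portal"
            set realm "azure"
        next
        edit 2
            set groups "GCP_Escalations"
            set portal "gcp-portal"
            set realm "gcp"
        next
    end
end

config firewall policy
    edit 10
        set name "SSLVPN-Azure-Escalations"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal-LAN"
        set groups "Azure_Escalations"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "SSLVPN-GCP-Escalations"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal-LAN"
        set groups "GCP_Escalations"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Azure users then connect to https://192.168.1.68:1444/azure and GCP users to https://192.168.1.68:1444/gcp (in FortiClient, the same URL including the realm path). Because each authentication rule carries its own realm, only that rule and its firewall policy are evaluated for the login, which is what makes the second IdP reachable. Keep one group per realm; a rule that lists groups from both SAML servers reintroduces the single-IdP limitation described above.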
Verification of Deployment
SSL VPN users are listed in the 'SSL-VPN Monitor' widget of the GUI. On the left of the screen: Dashboard -> SSL-VPN Monitor
Users are also listed in the CLI with the command 'get vpn ssl monitor'.
Successful and failed logins can also be verified from the VPN events log:
On the left of the screen: Log & Report -> System Events
Related articles:
Technical Tip: FortiGate SAML authentication resource list
Troubleshooting Tip: Common problems and causes when using SAML with SSL VPN
Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication
Technical Tip: Create SSL VPN with Azure SAML SSO Authentication, optional multiple SSL VPN Realms
Copyright 2025 Fortinet, Inc. All Rights Reserved.